Latest News

Sun May 13 19:41:30 EDT 2007 - Daniel Black, a Gentoo developer, has been
very helpful in bringing the autoconf setup up to date. He also provided a
fix for a crash caused by providing an absolute path to
—username-file. Other than that, this release isn’t too
execiting. I promise the next one will include time travel and a paradox
solver.

Mon Feb 12 19:39:59 EST 2007 - Well, I suppose it is about time for another
release. Juan Ezquerro and Henjin Tai-sho submitted most of the changes. I
cleaned up a few little things, including fixing a bug reported on the
Gentoo bug database. It’s been so long since I’ve done a
release that I may have messed something up. So if something is wrong,
please let me know.

Previously I had mentioned that I started a new version of authforce.
Recently Juan Ezquerro started a version based on the ideas from
‘authforce2’. If you are interested in helping him, you can
contact him at <arrase at gulcas.org>. I’m sure he’d
appreciate an extra hand.

Tue Nov 18 11:12:02 EST 2003 - It’s been a while since there has been
a release, but Henjin Tai-Sho has done a lot of work cleaning up bugs, so
I’d like to get a major bugfix release out there. If any of you have
found bugs in authforce, please submit them to me. I’d like to fix as
many bugs as possible. Some of the bugs that were found were pretty major,
so a lot of you aren’t reporting the bugs you found :P

Sun Mar 9 14:19:31 EST 2003 - A while ago I started working on a new
version of authforce. It had an interface where people could drop in new
output modules without recompiling. This would allow people to create
modules to bruteforce many different interfaces, such as a cgi based web
login or even an ftp server if they wanted to. Unfortunately I got lazy
pretty early on and didn’t get much of it done. If anyone is
interested, I still have the code I’ve written so far.

Tue May 22 16:41:11 EDT 2001 - There has been a major bug for a long time
where large password files would cause authforce to segfault. Okay, well,
there were two. I fixed one bug, and then a lot of people reported yet
another bug that messed up even larger files. Anyway, this should be fixed.
If it isn’t, please let me know. Better yet, find the bug and submit
a patch. Also, as always, if any of you have a good password list, submit
them. But you won’t, because nobody ever does :). A good password
list in my eyes is one that is short, and only has very common passwords,
because you aren’t trying to DoS a site :) Well it depends on the
situation. Anyway. Yes. Enjoy. It’s in the download section. P.S. I
released RPMs last time because someone sent them to me, but I am not going
to make it a habit to try to get RPMs built. If people would like to create
rpms and then send them to me, I will happily put them up.

Thu Feb 15 20:03:46 EST 2001 - Okay, today is when I’m ACTUALLY
releasing the new version. I was waiting to get some RPMs setup, and well,
bleh I say. I have some RPMs in the download section, but they may not even
work. I don’t have an RPM system and so I’m not giving it
extensive testing. If they work for you, good. If not, just get the source.
It takes half a second to compile it, and you won’t have tons of
library errors etc. Hopefully I’m going to add some features that
have been sitting on the TODO list for a while. I want to add multiple site
support for one, and also I would like to assemble halfway decent
datalists. If anyone would like to contribute, be my guest.

Mon Feb 12 21:33:46 EST 2001 - It’s an update! Oh my! This version
mainly sports additions by Panagiotis Issaris. He added things like
internationalisation support (with a Dutch translation) and a configure
script. He also added a .spec file for an rpm release. I’m still
looking for good data lists to include with authforce, but since nobody
seems to have any I’ll hopefully try to make my own. As always,
contributions are always welcome. There are a couple things in the BUGS
file that aren’t too complicated, as well as a lot of tiny things in
the TODO file that anyone could do. Enjoy.

Description

Authforce is an HTTP authentication brute forcer. Using various methods, it
attempts brute force username and password pairs for a site. It has the
ability to try common username and passwords, username derivations, and
common username/password pairs. It is used to both test the security of
your site and to prove the insecurity of HTTP authentication based on the
fact that users just don’t pick good passwords.

History

I made this because I was curious how bad people were at choosing decent
passwords. It can also be used to test the security of your site.